cancel
Showing results for 
Search instead for 
Did you mean: 

Multiple users at the same request

Former Member
0 Kudos

Hello all!

When I create a request for multple users (with various managers) if only one of the managers reject the request it is rejected for all users (even those where the manager approved the request). Is there a way to approve the roles from those manager who approved the request? And ignore the rejected ones.

Regards,

Pedro

Accepted Solutions (0)

Answers (1)

Answers (1)

FilipGRC
Contributor
0 Kudos

Hi Pedro,

make sure your rejection level is set to ROLE on stage task settings.

Other options are described below as per SAP HELP. Allows approvers to reject requests for the following levels:

  • Request (Approvers have the authority to reject all roles in a request. For example, security approvers can reject any role relevant to a request.
  • Role (Approvers can only reject those roles that belong to them.)
  • System and Role (Approvers have the authority to reject systems and roles.)

Where to find it?

next here

Let me know,

Filip

Former Member
0 Kudos

Hello Filip,

Thanks for your prompt response. Unfortunately I changed the configuration and still with the problem. Bellow the configuration done:

I have one request with one role for two different users, the users have different managers. When one of the managers reject the request it is finished. Do you know what should I do?

Regards,

Pedro

Former Member
0 Kudos

Sorry Filip,

My bad... I didn´t changes the option on Rejection Level, only on Approval Level. I will test as soon as possible and inform the resulta.

Thanks and sorry again.

Regards,

Pedro

FilipGRC
Contributor
0 Kudos

Hi Pedro,

make sure you activate workflow after done. Also new request need to be created as your workflow does not allowed run-time changes.

Thanks, Filip

ps. If you consider may input as helpful, good practice is to mark as such for other users to see what helped you, also it is a good motivation for everybody to continuously contribute to forum knowledge.

Former Member
0 Kudos

Hi Filip,

Now the request is going to the Role Owner Approval Stage, unfortunately it is being rejected automatically as soon as it arrives.

1 - The first manager rejects the request.

2 - The second manager approves the request.

3 - The request goes to the RO approval step as is cancelled automatically by the system.

I did the same thing with both managers approving the request, then everything worked fine.

Can you help?

Regards,

Pedro

Former Member
0 Kudos

Hi,

I believe you are using three step approval process. If any one the approver rejects request, it will be cancelled automatically.

For ex.in first stage manager approved, in second stage manger rejected request. In this case, Request wont trigger to third stage.

There is one more settings particularly related to approvals by different persons in same stage.you can review under path settings.You can use Any one approver rather than all Approvers option.

Thanks

Mohan

FilipGRC
Contributor
0 Kudos

Hi Pedro,

keep settings for approval type : All approves, as otherwise - multiple user access request will not work as expected - single approval will be sufficient to push request to next stage.

How did you reject the request?

If you did this on header level - please remember - this is valid for entire request - even for users which are not on the visible list (are hided). You reject the request on header level by one manager - and entire request will be rejected.

This is how rejection works.

Please try to - on line item level - role on access request 'not accept' and submit request with decision not to approve on single line item - then it should work as expected- this will not go to Role Owner

Filip

Former Member
0 Kudos

Hello Filip and Mohan,

Thanks for your replies. Unfortunately this configuration was already ok. Bellow prints from the actual configuration:

Manager step:

RO step:

LOG:

Any ideas?

Thanks in advance,

Pedro

Former Member
0 Kudos

Someone knows if this configuration is correct? Am I missing something?

Regards,

Pedro

FilipGRC
Contributor
0 Kudos

Does Role Owner stage has agent defined?

It looks like there is no agent defined which is causing autoapproval.

Filip

Former Member
0 Kudos

Hi,

Can you share screenshot of stage settings by clicking Modify button?

It looks like one manager approved request and another manager rejected it.

Thanks

Mohan

Former Member
0 Kudos

Hi Filip,

The actual configuration is the same from the print screen above.

Manager step = Manager Stage

RO step = Role Owner Stage

Regards,

Pedro

Former Member
0 Kudos

Hello Mohan,

Please check the print screens above. They are from the configuration screen you´ve requested.

Regards,

Pedro

Former Member
0 Kudos

Any idea? 😕

Regards,

Pedro

Former Member
0 Kudos

HI Pedro,

Screenshot shows specific to stage settings.

I would like to see settings of Agent you used and settings of that.you can click on Modify of particular stage, on bottom of screen this information will be there. Please share screenshot.

Thanks

Mohan

Former Member
0 Kudos

Hi Mohan,

Bellow the screens requested:

RO Stage configuration (the fields pointed by the red arrow where blank, I changed them but no luck):

Additional information:

When all the manager Approve the request the RO Stage works fine. This issue happens only when one or more Manager reject the request.

Thanks in advance,

Pedro

FilipGRC
Contributor
0 Kudos

Pedro,

happy 2015!

Configuration looks good. Are you sure role has role owner assigned?

Tell me how exactly do you reject the request? Maybe here is a problem...Manager stage can reject entire request while doing it on header level, as this is how it works by standard in SAP.

Did u try to create request with 3 users and 3 diff managers.

F.

Former Member
0 Kudos

Hi Filip,

Thanks for your reply an happy 2015 for you too!!!

Well, here we go.

The request has two users. UserA and UserB.

UserA is linked with ManagerA

UserB is linked with ManagerB

The request is to concede the Role "Role123" for both. This means the Role Assignment is made by the same user.

If ManagerA and ManagerB approve the request, everything goes fine, including the Role Owner stage.

If one of the Managers reject the request the problem happens as bellow:

ManagerA rejects.

ManagerB approves.

Request goes to the RO stage and a few seconds after the request is ended without providing the access or requesting the Role Owner approval.

Very strange.

Regards,

Pedro

FilipGRC
Contributor
0 Kudos

This is what I understand from previous discussion. I have 2 questions.

(Q1)

Has this role123 have role owner assigned? Can you make sure - approve user assignement check box has been selected.

(Q2)

How do you do rejection? SAP GRC works in a way - when request is splited per user in fact still this is the same request - but each manager can only see his own's users, but in fact can reject entire request in the sense that if you go to 'other actions' - -> reject request - it will reject entire request and it will never go to role owner.

I do not see from Audit log that request actually went to Role Owner stage, as no exact role owner

F.

Former Member
0 Kudos

Q1 - Yes. This same worflow works when both manager approve the request. And I was using the same role.

Q2 - I rejected at the role level, not request level (header).

Please check the log bellow for a better understanding:

Regards,

Pedro

FilipGRC
Contributor
0 Kudos

Can you add a screen when you approve, to see how it is presented in audit log when request is awaits on role owner stage  ?

it looks like some post-installation steps are missing.Where they executed?

F.

Former Member
0 Kudos

Hi Filip,

Post installation was made as requested in the Installation Guide. The request doesn´t stop at the Role Owner Stage. The last Manager approves/rejects and the request is ended. I just know that it passed by the Role Owner Stage because of the logs.

Regards,

Pedro

FilipGRC
Contributor
0 Kudos

Hi,

when I look at those logs it look strange, as normaly you would have similar entry like those for manager with user ID being visable.

Can you approve on manager stage and post audit log from role owner stage?

F.

Former Member
0 Kudos

Hi Pedro,

As per understanding,GRC wont provision until end of request if provisioning maintained as "Auto Provisioning at end of Request".

Thanks

Mohan

Former Member
0 Kudos

Hi Filip,

Bellow as requested:

Regards,

Pedro

Former Member
0 Kudos

It´s like the workflow doesn´t find the Role Owner ID when one of the Manager rejects the assignment.

Regards,

Pedro

FilipGRC
Contributor
0 Kudos

exactly, once it did not find - it close the request and goes to auto provisioning at the end of the request.

Strange behavior, let me think.

F.

Former Member
0 Kudos

Filip,

You made me work in a double check to see if all the Post Installation steps where really ok. I found two BC Sets from AC that were not enabled.

GRAC_SPM_CRITICALITY_LEVEL

GRC_MSMP_CONFIGURATION

Can this be the issue? Is it ok for me to activate them? If yes, I will loose the MSMP configuration?

Regards,

Pedro

FilipGRC
Contributor
0 Kudos

GRC_MSMP_CONFIGURATION may have an impact.

Please activate and next generate new MSMP workflow version.

F.

Former Member
0 Kudos

Man, this is crazy! Nothing changed. Exactly the same issue. 😕

Regards,

Pedro

Former Member
0 Kudos

Hello Filip,

This note solve the problem:

1950981 - Problems with multiple requests in GRC AC

Thanks to all for the help in special to Filip!!!

Regards,

Pedro

FilipGRC
Contributor
0 Kudos

Hi Pedro,

I am very glad to hear that.

I have seen that note, but the description does not correspond to problem you had.


Lucky you, that you tried to check it.

Please close the thread, so it is easier for others to see problem was solved, otherwise it is pending as open. Also if you believe some of my posts were helpful to final solutions you can mark them as such to speed up problem solving process for others users of our community,

Regards,

Filip

rindia
Active Contributor
0 Kudos

Hi Pedro,

Nice to know that your problem is solved. After seeing this thread I tried to replicate your scenario.

I had taken two users with different managers and submitted the request with single role assigned.

User1 -> Manager1

User2 -> Manager2

I logged in as Manager1 and can see both the users in the same request. I would like to see only the User1 which i had not. On line item I choosed Reject and clicked on Submit.

Now I logged in as Manager2. This time I choosed Approve and clicked on Submit.

My path has 2 stages only. In first stage goes to 2 manager's approval and in second stage goes to Security approval.

Now the request is closed without going to second stage as in first stage, the first manager had rejected the request.

However, If both the managers are accepting, it is going to second stage and users are created and roles are provisioning properly.

I taken care of:

a. In MSMP, the Approval type is "All Approvers".

b. One User per Request per System" to "NO" (As per SAP note 1950981)

c. Provisioning option: Auto provisioning at the end of each path (Global and System)

Regards

Raj

FilipGRC
Contributor
0 Kudos

Try to setup rejection on Role level. See very up of this thread.

Rejection made by one of the manager was for all user on access request - therefore it is closed/rejected.

Filip

rindia
Active Contributor
0 Kudos

Hi Filip,

It is at "System and Role" level. Hence I changed to Role level, activated the MSMP flow, raised the new request again.

Manager1 click on Reject and then submit.

Manager2 click on Approve and submit.

It is not going to stage 2, behaving the same as before.

Regards

Raj

FilipGRC
Contributor
0 Kudos

Did you activate WF after the change?

rindia
Active Contributor
0 Kudos

Hi Filip, I activated the WF.