on 04-02-2015 8:46 AM
Dear all,
I have the following approval procedure:
As soon as I use the rule based on functional area of a role, to determine the approver, my line items with systems are also checked by the rule. And here is the problem:
If role approvers confirm role assignment, but system approvers don’t confirm the system where the role exists, then we get a conflict between role approvers and system approvers. To resolve the problem I would like to split the procedure into two stages:
I found a post by Madhu Babu where he describes a similar procedure for the initiator, but even in this case I get the same problem (system approvers working in parallel may decline system assignment, while role approvers may not).
If I create two stages and assign approvers for the system on the first stage, then while doing analysis BRF will not find an agent for role line items and fail with a workflow error. And vice versa: I get the error on the second stage but for system line items.
Customizing for agents, where I can set approval level, contains only the following entries:
So, I can’t resolve my requirement using this option.
Could anyone please give an idea how to resolve my issue?
Regards,
Artem
Hi everyone!
I'm again fighting with this problem. To determine the problem in detail I've changed the rule for agent determination.
I've created a simple path with two stages:
the second stage contains function ZAGRUL_SYSTEMS (generated as a flat rule) which has decision table:
As you can see I expect to get the same approver for the systems and roles.
Then I create a request with the following line items:
Role ZRISK_ROLE_GRC10 has System:SSDCLNT001, so role connector is not initial.
Despite the simplicity of the rule and the request conditions I get error:
WF-BATCH APPL_DEBUG GRFNMW MSMP Approval status sync. (LineItem Key , Line Items 00002, Type ONE)
WF-BATCH MSMP_DEBUG GRFNMW Failed to determine agent
In message log I see the following:
Approver '101DTI00037' for line item '0001' is not valid
Approver '101DTI00037' for line item '0002' is not valid
Roles and profiles for WF-BATCH are assigned (SAP_GRAC_ALL, SAP_ALL, SAP_NEW)
I don’t know why the user is invalid… I could not find any information regarding this message, either in notes or on Google.
Please help me out with this issue.
Regards,
Artem
Hi Artem,
I came across your discussion and wanted to understand better so that I can help you as well (if you are facing any issues).
1. GRC request will have ROLES and SYSTEMS.
2. BRF+ rule should return separate Rule Results for SYSTEM and ROLES. Based on the rule results you direct ROLES to one path and SYSTEMS to one path.
3. For SYSTEMS you have created a custom agent to determine approver based on SYSTEM name and for ROLES is it the same agent?
I am confused as you mentioned in your discussion as ROLES go to one stage and SYSTEMS go to one stage? Can you give more details on this and also what is the issue now you are facing so that I will try as well in my system
Regards,
Madhu.
Hi Madhu!
Glad to see you on my post!
Sorry to confuse you. I meant that after the manager has made a positive decision to forward the request further, it should be split into two parts following sequentially: systems go to one stage, roles go to the other stage that follows after the system stage.
And as an additional requirement: roles that are assigned to the rejected (on the previous stage) systems should also be rejected automatically.
Truly, I've just finished the critical article about GRC. I hope that experts like you can shed some light on the issues.
To your points.
1) Yes
2) Yes. I made it using ROLE_CONNECTOR attribute.
3) No, they are different agents.
Those agents I assigned to different stages which I cannot put one by one (systems first, roles second)
Regards,
Artem
Hi Artem,
Just curious is the option to include SYSTEMS in request is necessary for your requirement?
If the user selects a role then each role will have ROLE CONNECTOR which is the system and based on your provisioning settings user gets created and the roles will be assigned.
Ideally the purpose of adding the SYSTEM lineitem in the request is for Validation Error check (whether user already exists in the target system or not etc)
Since your requirement is if SYSTEM is rejected, ROLES for that system also should be rejected why to include the SYSTEM Lineitem separately?
Can you share bit more details on this?
Regards,
Madhu.
Hi Madhu,
I think I got your idea. You suggest not using SYSTEM and, instead of it, using Create user for Role assign and change user actions. But then we should disable the system selection button for users. Is it possible to do it without code editing?
I hadn't thought that we could avoid using SYSTEM at all, because it's given initially and mandatory.
If we can disable system selection then I can focus on role approval procedure only.
Regards,
Artem
P.S. Dear Madhu, please look at my post Is GRC 10.x better than GRC 5.3 and add your vision if you have one.
We have a similar issue. Removed the Create user/change user option from our request types but still ending up having a message 'No approver at stage found' and request is cancelled at Manager Stage.
I found that it is actually looking for the manager ID and if the manager is not set up in GRC box, the request gets cancelled.
Is this something that can be avoided?
Checked the forum but couldn't get much.
Any help?
Thanks.
Dear Artem,
Your idea about splitting into 2 stages is appropriate. You should only add one condition in your BRF agent rules. It is a check whether the role name is initial. The role name has to be initial in the BRF agent rule that is used to define the system approver. And otherwise the role name must not be initial in the BRF agent rule that is used to define the role approver. Could you please try adding this condition?
Hello Marina,
Thank you very much for the reply!
Unfortunately, your recommendation is not applicable. As I wrote previously, this method doesn't work, because it checks every line item in a request, so that if I make 2 stages and assign a rule with "Role name check=initial" for the 1st and "Role name check=not initial" for the 2nd, on the 1st stage it cannot get approvers for roles, and cannot get approvers for systems. The system shows that no agent was found in the log file. By the way, I use another attribute to differentiate Roles and Systems, it's Role connector.
Here are my test results:
As you can see, two rules are described here (LOOP_REQST_LINEITEMS for roles and LOOP_SYSTEM_OWNER for system). But according to my requirement I should deactivate LOOP_REQST_LINEITEMS for the 1st stage and deactivate LOOP_SYSTEM_OWNER for the 2nd. In this case my test shows blank lines and as a result I get an error at workflow level: no agent found.
Could you tell me please how to resolve this problem? Is there any mechanism to pass requests with empty approvers to the next stage?
Regards,
Artem
Example of the error:
BATCH:MSMP/COMMON/20150402144902.0592290:MSMP_RULE:138:FDT_EXPRESSIONS:No match found for the given context (ZAGRUL_SYSTEMS)
20150402145010.9499260 :551BE8CED92A3243E1000000C0A80947:COMMON:20150402144902.0592290 :020:00002:TS76308026::WF-BATCH:MSMP/COMMON/20150402144902.0592290:MSMP_RULE:097:GRFNMW:Error during execution of rule A/E/54DCEC7F84F932D2E1000000C0A80947
20150402145010.9548600 :551BE8CED92A3243E1000000C0A80947:COMMON:20150402144902.0592290 :020:00002:TS76308026::WF-BATCH:MSMP/COMMON/20150402144902.0592290:APPL_DEBUG:138:FDT_EXPRESSIONS:No match found for the given context (ZAGRUL_SYSTEMS)
20150402145010.9570270 :551BE8CED92A3243E1000000C0A80947:COMMON:20150402144902.0592290 :020:00002:TS76308026::WF-BATCH:MSMP/COMMON/20150402144902.0592290:APPL_DEBUG:138:FDT_EXPRESSIONS:No match found for the given context (ZAGRUL_SYSTEMS)
20150402145010.9591980 :551BE8CED92A3243E1000000C0A80947:COMMON:20150402144902.0592290 :020:00002:TS76308026::WF-BATCH:MSMP/COMMON/20150402144902.0592290:MSMP_DEBUG:138:FDT_EXPRESSIONS:No match found for the given context (ZAGRUL_SYSTEMS)
20150402145010.9615590 :551BE8CED92A3243E1000000C0A80947:COMMON:20150402144902.0592290 :020:00002:TS76308026::WF-BATCH:MSMP/COMMON/20150402144902.0592290:MSMP_DEBUG:138:FDT_EXPRESSIONS:No match found for the given context (ZAGRUL_SYSTEMS)
20150402145010.9635950 :551BE8CED92A3243E1000000C0A80947:COMMON:20150402144902.0592290 :020:00002:TS76308026::WF-BATCH:MSMP/COMMON/20150402144902.0592290:MSMP_DEBUG:075:GRFNMW:Failed to determine agent
I try to deactivate one rule LOOP_SYSTEM_OWNER, so that GRC checks only roles using LOOP_REQST_LINEITEMS.
Regards,
Artem
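An added example, not part of the original posts: a small Python parser for trace lines shaped like the excerpt above, which counts "No match found" results per BRF+ function and flags the closing "Failed to determine agent". The field names and positions are assumptions inferred from the excerpt, not a documented SAP layout; the sample lines are reassembled from the excerpt, including its truncated first line.

```python
import re
from collections import Counter, defaultdict

# Assumed field names, inferred from the excerpt (not an SAP-documented layout).
FIELDS = ("logged_at", "instance_id", "process", "started_at", "f4", "f5", "task",
          "f7", "user", "path", "category", "msg_no", "msg_class", "text")
NO_MATCH = re.compile(r"No match found for the given context \((\w+)\)")

def parse_line(line):
    """Split one trace line into named fields; return None if it is truncated."""
    parts = [p.strip() for p in line.split(":", len(FIELDS) - 1)]
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def summarize(lines):
    """Per workflow instance: BRF+ functions with no matching row, and agent failure."""
    out = defaultdict(lambda: {"no_match": Counter(), "agent_failed": False})
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep a count so truncated lines are not silently lost
            continue
        entry = out[rec["instance_id"]]
        hit = NO_MATCH.search(rec["text"])
        if rec["msg_class"] == "FDT_EXPRESSIONS" and hit:
            entry["no_match"][hit.group(1)] += 1
        if rec["msg_class"] == "GRFNMW" and rec["text"] == "Failed to determine agent":
            entry["agent_failed"] = True
    return dict(out), skipped

# Common middle part of the excerpt's lines, factored out for readability.
PREFIX = (":551BE8CED92A3243E1000000C0A80947:COMMON:20150402144902.0592290 :020:00002:"
          "TS76308026::WF-BATCH:MSMP/COMMON/20150402144902.0592290:")
SAMPLE = [
    "BATCH:MSMP/COMMON/20150402144902.0592290:MSMP_RULE:138:FDT_EXPRESSIONS:"
    "No match found for the given context (ZAGRUL_SYSTEMS)",  # truncated in the excerpt
    "20150402145010.9499260 " + PREFIX + "MSMP_RULE:097:GRFNMW:"
    "Error during execution of rule A/E/54DCEC7F84F932D2E1000000C0A80947",
    "20150402145010.9548600 " + PREFIX + "APPL_DEBUG:138:FDT_EXPRESSIONS:"
    "No match found for the given context (ZAGRUL_SYSTEMS)",
    "20150402145010.9591980 " + PREFIX + "MSMP_DEBUG:138:FDT_EXPRESSIONS:"
    "No match found for the given context (ZAGRUL_SYSTEMS)",
    "20150402145010.9635950 " + PREFIX + "MSMP_DEBUG:075:GRFNMW:Failed to determine agent",
]

if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE)
    for instance, info in summary.items():
        print(instance, dict(info["no_match"]), "agent_failed =", info["agent_failed"])
    print("skipped (truncated) lines:", skipped)
```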
Dear Marina,
Could you tell me please whether you tried to customize required scenario or not?
Because the more I try to configure it (manager -> system approve -> role approve), the more I believe that this is not possible using standard tools such as BRF+.
The problem is the same. When I put approvers for system's credentials only the workflow fails with error for role line items (no agent found). To resolve this I should add conditions for roles (role's credentials and approver for it), but this is wrong, because on this stage roles should be approved on the next stage only.
Regards,
Artem
Dear Marina,
Unfortunately, it doesn't work...
On the second stage I get "No agent found", it happens because there is no condition for role line item.
A request hangs in status (Running), and no one is able to confirm it. Only reject via administration is allowed.
It's really a serious problem for the product that is branded as very flexible in comparison with GRC 5.3
Regards,
Artem