
Need an idea to resolve split procedure

former_member182655
Contributor
0 Kudos

Dear all,

I have the following approval procedure:

  • Manager creates request with roles and systems
  • Approvers make decisions
  • User gets roles and systems (or doesn’t get)

As soon as I use the rule based on the functional area of a role to determine the approver, my line items with systems are also checked by the rule. And here is the problem:

If role approvers confirm role assignment, but system approvers don’t confirm the system where the role exists, then we get a conflict between role approvers and system approvers. To resolve the problem I would like to split the procedure into two stages:

  1. System approval procedure
  2. Role approval procedure

I found a post by Madhu Babu where he describes a similar procedure for the initiator, but even in this case I get the same problem (system approvers working in parallel may decline system assignment, while role approvers may not).

If I create two stages and assign approvers for the system on the first stage, then while doing analysis BRF will not find an agent for role line items and fail with a workflow error. And vice versa: I get the error on the second stage but for system line items.

Customizing for agents, where I can set approval level, contains only the following entries:

  • Request
  • Role
  • System and Role

So, I can’t resolve my requirement using this option.

Could anyone please give an idea how to resolve my issue?

Regards,

Artem

Accepted Solutions (1)


former_member182655
Contributor
0 Kudos

Hi everyone!

I'm again fighting with this problem. To determine the problem in detail I've changed the rule for agent determination.

I've created a simple path with two stages:

the second stage contains function ZAGRUL_SYSTEMS (generated as a flat rule) which has decision table:

As you can see I expect to get the same approver for the systems and roles.

Then I create a request with the following line items:

Role ZRISK_ROLE_GRC10 has System:SSDCLNT001, so role connector is not initial.

Despite the simplicity of the rule and the request conditions I get error:

WF-BATCH APPL_DEBUG    GRFNMW    MSMP Approval status sync. (LineItem Key     , Line Items 00002, Type     ONE)

WF-BATCH MSMP_DEBUG    GRFNMW    Failed to determine agent

In message log I see the following:

Approver '101DTI00037' for line item '0001' is not valid

Approver '101DTI00037' for line item '0002' is not valid

Roles and profiles for WF-BATCH are assigned (SAP_GRAC_ALL, SAP_ALL, SAP_NEW)

I don’t know why the user is invalid… I couldn't find any information regarding this message, either in notes or in Google.

Please help me out with this issue.

Regards,
Artem

Former Member
0 Kudos

Hi Artem,

User 101DTI00037 seems not to exist in your GRC system.

Could you please check if it exists in table usr02?

former_member182655
Contributor
0 Kudos

Hi Marina!

Thank you for reply again!

Seems you are right! I made a typo!

101DIT00037 instead of 101DTI00037!

I'll try and provide the result.

Regards,

Artem

madhusap
Active Contributor
0 Kudos

Hi Artem,

I came across your discussion and wanted to understand it better so that I can help you as well (if you are facing any issues).

1. GRC request will have ROLES and SYSTEMS.

2. BRF+ rule should return separate Rule Results for SYSTEM and ROLES. Based on the rule results you direct ROLES to one path and SYSTEMS to one path.

3. For SYSTEMS you have created a custom agent to determine approver based on SYSTEM name and for ROLES is it the same agent?

I am confused as you mentioned in your discussion as ROLES go to one stage and SYSTEMS go to one stage? Can you give more details on this and also what is the issue now you are facing so that I will try as well in my system

Regards,

Madhu.

former_member182655
Contributor
0 Kudos

Hi Madhu!

Glad to see you on my post!

Sorry to confuse you. I meant that after the manager has made a positive decision to forward the request further, it should be split into two parts following sequentially: systems go to one stage, roles go to the other stage that follows after the system stage.

And as an additional requirement: roles that are assigned to the rejected (on the previous stage) systems should also be rejected automatically.

Truly, I've just finished the critical article about GRC. I hope that experts like you can shed some light on the issues.

To your points.

1) Yes

2) Yes. I made it using ROLE_CONNECTOR attribute.

3) No, they are different agents.

Those agents I assigned to different stages which I cannot put one by one (systems first, roles second)

Regards,

Artem

madhusap
Active Contributor
0 Kudos

Hi Artem,

Just curious: is the option to include SYSTEMS in the request necessary for your requirement?

If the user selects a role then each role will have a ROLE CONNECTOR, which is the system, and based on your provisioning settings the user gets created and the roles will be assigned.

Ideally the purpose of adding the SYSTEM line item in the request is for the Validation Error check (whether the user already exists in the target system or not, etc.)

Since your requirement is that if SYSTEM is rejected, ROLES for that system should also be rejected, why include the SYSTEM line item separately?

Can you share bit more details on this?

Regards,

Madhu.

former_member182655
Contributor
0 Kudos

Hi Madhu,

I think I got your idea. You suggest not using SYSTEM and instead using Create user for Role assign and change user actions. But then we should disable the system selection button for users. Is it possible to do that without code editing?

I hadn't thought that we could not use SYSTEM at all, because it's given initially and mandatory.

If we can disable system selection then I can focus on role approval procedure only.

Regards,

Artem

P.S. Dear Madhu, please look at my post Is GRC 10.x better than GRC 5.3 and add your vision if you have one.

madhusap
Active Contributor
0 Kudos

Hi Artem,

Just remove CREATE USER and CHANGE USER actions from your request type and just keep ASSIGN OBJECT action.

That's it: you won't see the SYSTEM option under the ADD button and will see only the ROLE option.

Regards,

Madhu.

former_member182655
Contributor
0 Kudos

Hi Madhu!

Great! Now it works! Of course, not as I described earlier, but it's ok for me.

Regards,

Artem

Former Member
0 Kudos

We have a similar issue. Removed the Create user/change user option from our request types but still ending up having a message 'No approver at stage found' and request is cancelled at Manager Stage.

I found that it is actually looking for the manager ID and if the manager is not set up in GRC box, the request gets cancelled.

Is this something that can be avoided?

Checked the forum but couldn't get much.

Any help?

Thanks.

former_member182655
Contributor
0 Kudos

Hi Srihari,

I think it's better to post a new question with a detailed description of your MSMP and BRF+.

Regards,

Artem

Former Member
0 Kudos

Hi Artem,

Thanks for the reply.

Will do.

Regards

Answers (1)


Former Member
0 Kudos

Dear Artem,

Your idea about splitting into 2 stages is appropriate. You should only add one condition in your BRF agent rules: a check whether the role name is initial. The role name has to be initial in the BRF agent rule that is used to define the system approver. And conversely, the role name must not be initial in the BRF agent rule that is used to define the role approver. Could you please try adding this condition?

former_member182655
Contributor
0 Kudos

Hello Marina,

Thank you very much for the reply!

Unfortunately, your recommendation is not applicable. As I wrote previously, this method doesn't work, because it checks every line item in a request, so that if I make 2 stages and assign a rule with "Role name check=initial" for the 1st and "Role name check=not initial" for the 2nd, on the 1st stage it cannot get approvers for roles, and cannot get approvers for systems. The system shows that no agent was found in the log file. By the way, I use another attribute to differentiate Roles and Systems: it's Role connector.

Here are my test results:

As you can see, two rules are described here (LOOP_REQST_LINEITEMS for roles and LOOP_SYSTEM_OWNER for system). But according to my requirement I should deactivate LOOP_REQST_LINEITEMS for the 1st stage and deactivate LOOP_SYSTEM_OWNER for the 2nd. In this case my test shows blank lines and as a result I get an error at workflow level: no agent found.

Could you tell me please how to resolve this problem? Is there any mechanism to pass requests with empty approvers to the next stage?

Regards,

Artem

former_member182655
Contributor
0 Kudos

Example of the error:

BATCH:MSMP/COMMON/20150402144902.0592290:MSMP_RULE:138:FDT_EXPRESSIONS:No match found for the given context (ZAGRUL_SYSTEMS)

20150402145010.9499260 :551BE8CED92A3243E1000000C0A80947:COMMON:20150402144902.0592290 :020:00002:TS76308026::WF-BATCH:MSMP/COMMON/20150402144902.0592290:MSMP_RULE:097:GRFNMW:Error during execution of rule A/E/54DCEC7F84F932D2E1000000C0A80947

20150402145010.9548600 :551BE8CED92A3243E1000000C0A80947:COMMON:20150402144902.0592290 :020:00002:TS76308026::WF-BATCH:MSMP/COMMON/20150402144902.0592290:APPL_DEBUG:138:FDT_EXPRESSIONS:No match found for the given context (ZAGRUL_SYSTEMS)

20150402145010.9570270 :551BE8CED92A3243E1000000C0A80947:COMMON:20150402144902.0592290 :020:00002:TS76308026::WF-BATCH:MSMP/COMMON/20150402144902.0592290:APPL_DEBUG:138:FDT_EXPRESSIONS:No match found for the given context (ZAGRUL_SYSTEMS)

20150402145010.9591980 :551BE8CED92A3243E1000000C0A80947:COMMON:20150402144902.0592290 :020:00002:TS76308026::WF-BATCH:MSMP/COMMON/20150402144902.0592290:MSMP_DEBUG:138:FDT_EXPRESSIONS:No match found for the given context (ZAGRUL_SYSTEMS)

20150402145010.9615590 :551BE8CED92A3243E1000000C0A80947:COMMON:20150402144902.0592290 :020:00002:TS76308026::WF-BATCH:MSMP/COMMON/20150402144902.0592290:MSMP_DEBUG:138:FDT_EXPRESSIONS:No match found for the given context (ZAGRUL_SYSTEMS)

20150402145010.9635950 :551BE8CED92A3243E1000000C0A80947:COMMON:20150402144902.0592290 :020:00002:TS76308026::WF-BATCH:MSMP/COMMON/20150402144902.0592290:MSMP_DEBUG:075:GRFNMW:Failed to determine agent

I try to deactivate one rule LOOP_SYSTEM_OWNER, so that GRC checks only roles using LOOP_REQST_LINEITEMS.

Regards,

Artem
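The two failures reported in this thread ("No match found for the given context" when the stage's decision table has no row for a line item type, and "Approver ... is not valid" when a returned approver is not a user in the GRC system) can be checked before submitting a request. The sketch below is an added example, not part of the original posts and not SAP code: it is a simplified model of a flat agent rule keyed on the role connector, and it assumes a system line item has an initial (empty) role connector. The user `APPROVER_A`, the line items and the table rows are constructed sample data.

```python
# Simplified model of a flat agent rule; not SAP's BRF+ or MSMP code.
from dataclasses import dataclass

@dataclass
class LineItem:
    number: str
    role_connector: str  # assumption: "" (initial) for a system line item

@dataclass
class Row:
    connector_initial: bool  # condition on ROLE_CONNECTOR: initial or not
    approver: str            # result column: approver user ID

def check_stage(rows, items, known_users):
    """Return (line item number, problem) pairs for one stage's table."""
    problems = []
    for item in items:
        is_initial = item.role_connector == ""
        row = next((r for r in rows if r.connector_initial == is_initial), None)
        if row is None:
            # No row covers this line item type: the rule has no result.
            problems.append((item.number, "no match found"))
        elif row.approver not in known_users:
            # A row matched, but its approver is not a user in the GRC system.
            problems.append((item.number, f"approver {row.approver} is not valid"))
    return problems

# Constructed sample data (hypothetical user APPROVER_A; line items invented).
KNOWN_USERS = {"APPROVER_A"}
REQUEST = [LineItem("0001", "SSDCLNT001"), LineItem("0002", "")]
TABLES = {
    "systems only": [Row(True, "APPROVER_A")],
    "mistyped approver": [Row(True, "101DTI00037"), Row(False, "101DTI00037")],
    "both types covered": [Row(True, "APPROVER_A"), Row(False, "APPROVER_A")],
}

if __name__ == "__main__":
    for name, rows in TABLES.items():
        print(name, "->", check_stage(rows, REQUEST, KNOWN_USERS) or "ok")
```
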

former_member182655
Contributor
0 Kudos

Dear Marina,

Could you tell me please whether you tried to customize required scenario or not?

Because the more I try to configure it (manager -> system approve -> role approve), the more I believe that this is not possible using standard tools such as BRF+.

The problem is the same. When I put approvers for the system's credentials only, the workflow fails with an error for role line items (no agent found). To resolve this I should add conditions for roles (role's credentials and approver for it), but this is wrong, because on this stage roles should be approved on the next stage only.

Regards,

Artem

Former Member
0 Kudos

Dear Artem,

I did not try. But what happened with your scenario that we discussed today? With the second stage which contains function ZAGRUL_SYSTEMS.

It seems to be a very nice idea. Doesn't it work?

Kind regards,

Marina

former_member182655
Contributor
0 Kudos

Dear Marina,

Unfortunately, it doesn't work...

On the second stage I get "No agent found"; it happens because there is no condition for the role line item.

A request hangs in status (Running), and no one is able to confirm it. Only reject via administration is allowed.

It's really a serious problem for the product that is branded as very flexible in comparison with GRC 5.3.

Regards,

Artem